“记住我”的身份验证功能,它总是意味着“不安全”网站吗? [英] 'Remember-me' authentication feature, does it always mean 'Unsecure' Website?
问题描述
我正在考虑在我的webapp上实施经典的记住我复选框,以允许已认证的用户在返回访问我的网站后被记住。
I'm considering to implement the classic 'remember-me' checkbox on my webapp to allow the authenticated user to be 'remembered' once he returns to visit my website.
Gmail , Facebook 和其他人都有这种功能,但我不太确定它是多么安全。
Gmail, Facebook and others have this kind of feature but I'm not too sure how secure it can be.
像 Spring Security 这样的Java框架使用基于哈希的令牌方法'。生成的令牌(使用username,password,expirationTime和privateKey)存储在客户端的Cookie标记= 567whatever567'中。
A Java Framework like Spring Security uses an 'Hash-Based Token Approach'. The token that gets generated (using username,password,expirationTime and a privateKey) is stored in the Client's Cookies 'token=567whatever567'. The token is then reused to re-authenticate the user the next time he comes back.
我担心的是,即使登录过程发生在https下,
I'm concerned of the fact that even if the login process happened under a https connection, on every subsequent http request the cookie will be sent unencrypted on the net.
基本上每个人都可以读取令牌并重用它来进行身份验证。
Basically everybody can read the token and reuse it to authenticate.
我想了解Gmail或Facebook如何实现此功能。我可以看到一些Cookie,如FB中的presence = DJ267619445G09H0L15228675 .....,Gmail中的其他人。
我不太确定他们是否使用其他技巧来防止某人试图模仿
I'm trying to have a look at how Gmail or Facebook are implementing this functionality. I can see some Cookie like 'presence=DJ267619445G09H0L15228675.....' in FB, others in Gmail.
I'm not too sure if they use some other trick to protect against someone that tries to impersonate some other user.
我会尝试使用类似 cURL ,看看他们是否只使用特定的令牌来记住用户。
如果他们看起来像一个大的安全问题。也许不是facebook(我不在乎它),但使用Gmail,如果你不设置'始终使用https 将使用http连接,它将通过互联网发送您的未加密令牌。
您认为如何?
I'll try to impersonate myself using something like cURL to see if they're only using a specific token to remember the user.
If they are it looks to me like a big security issue. Maybe not facebook(I don't care of it) but with Gmail if you don't set 'Use always https' an http connection will be used and it will send your unencrypted tokens over internet.
What do you think?
我也注意到Facebook用户名/密码字段暴露在http(而不是https)下。在这方面,我也想知道:所有的网站暴露用户名/密码字段over http不安全'性质'。一旦通过http发送请求,就没有重定向到https可以修复凭证对世界可见问题。
I've also noticed that Facebook username/password fields are exposed under http (not https). In this regard I'm also wondering : Are all the websites exposing username/password field over http unsecure 'by nature'. Once the request is sent over http there's no 'redirect to https' that can fix the 'credentials visible to the world' problem.
感谢
编辑:
我的疑虑很有根据 http://codebutler.com/
感谢 Firesheep 创建者突出问题!!!
Edit:
My worries were well founded http://codebutler.com/
Thanks to the Firesheep creators for highlighting the problem!!!
推荐答案
实现记住我不是一个问题。你需要做的是保持会话活着久(并设置cookie的最后一个长)。即使Gmail会在一段时间后退出登录(我认为这是两个星期或一个月)。但是,您需要意识到,保持相同的会话打开更长时间增加了劫持它的可能性。作为对策,您需要增加会话标识符的强度。会话标识符是cookie中的一个(或在一些软件中通常看作file.php?PHPSESSID = 1234 ...的URI)。
It's not such a problem to implement a remember-me. What you need to do is to keep the session alive for long (and set the cookie to last long). Even Gmail will log you out after certain period (I think it's two weeks or a month). However, you need to realize that keeping the same session open longer increases the possibility to hijack into it. As a countermeasure, you need to increase the strength of your session identifier. Session identifier is the one that is in the cookie (or in the URI as commonly seen in some software as "file.php?PHPSESSID=1234...").
关键是维护一个强大的会话标识符。例如,在Gmail中,你有一个cookie GX一个值类似于
The key is to maintain a strong session identifier. For example, in Gmail, you have a cookie GX with a value similar to
DQAAAJoAAAA8mnjaAwgkS7y8Ws5MYCl-PAQLp9ZpMXpGKR47z4L9mlBH-4qEyApAtFbnLkzv1pPqxua1hOWMGiKYpBZr-h7Icyb-NUUg2ZW_nUFIymvw9KjmjSECYTowbCsDerkAxCzSDa83b5YC1mykPv1a9ji4znt6Fsna-AKgNTntvmUxeJ92ctsSlg9iGySEmXnisVyyJiQvI8jzbZqSpE_N2RKZ
Session劫持几乎不可能的原因是,因为会话标识符是如此强烈,因为网站使用HTTPS无处不在。没有人可以猜测或以其他方式获取您的会话标识符(因此不能劫持到您的会话)。快速看看,上面的会话标识符似乎有点〜1250位的强度,1 * 10 ^ 376不同的可能性。没有人可以猜到。
The reason why Session Hijacking is pretty much impossible is, because the session identifier is so strong, and because the site utilizes HTTPS everywhere. No one can guess or otherwise get your session identifier (thus can't hijack into your session). On a quick look, the session identifier above seems to have somewhat ~1250-bits of strength, 1*10^376 different possibilities. No one can guess that.
显然,总有潜在的方法仍然劫持到会话。例如,XSS漏洞打开了获得你的cookie,因此你的会话标识符的门道,但这不是你的会话错误,在任何方面,与记住我无关。
Obviously there will be always potential ways to still hijack into the session. For example, XSS vulnerabilities open the door way to get your cookies and therefore your session identifier, but this isn't your sessions fault in any way, and has nothing to do with a "remember-me".
我担心的是,即使登录过程发生在https连接下,在每次后续的http请求时,cookie将在网络上未加密地发送。
I'm concerned of the fact that even if the login process happened under a https connection, on every subsequent http request the cookie will be sent unencrypted on the net.
如果您在HTTPS中将Cookie安全标记设置为true,则在通过HTTP访问网站时,不会发送Cookie。这是一个必须做的只有HTTPS的网站。
If you set the cookie secure flag to true while in HTTPS, the cookie will never be sent when accessing the site via HTTP. It is a must to do for HTTPS-only sites.
一般来说,人们似乎只使用HTTPS登录页面,这是错误的。如果真的很关心,他应该在整个页面上使用HTTPS。否则,无法阻止所有会话劫持尝试。
In general, people seem to only use HTTPS for the log-in page, which is wrong. If one really cares, he should use HTTPS all over the page. Otherwise, it's impossible to prevent all Session Hijacking attempts.
为什么很多人仍然使用HTTPS仅用于登录部分?可能是因为他们没有意识到什么是赌注,或者因为太CPU太重,无法使用HTTPS。但是,仍然最好使用HTTPS登录,而不是在任何地方使用它 - 因为它加密了凭证(因此,只有会话标识符可以在以后被盗,而不是登录时的实际凭据)。
Why do many still use HTTPS just for the log-in part? Probably because they don't realize what's in the stakes, or because it's too CPU heavy to use HTTPS everywhere. However, it's still better to use HTTPS for the log-in than not to use it anywhere - because it encrypts the credentials (thus only the session identifier can be stolen later on, not the actual credentials during log-on).
也许不是facebook(我不在乎),但是如果你不设置'使用https'http连接将使用Gmail使用,它会通过互联网发送您的未加密令牌。
你觉得怎么样?
Maybe not facebook(I don't care of it) but with Gmail if you don't set 'Use always https' an http connection will be used and it will send your unencrypted tokens over internet. What do you think?
我认为如果可能的话,在所有情况下,值都应默认为HTTPS。唯一真正的原因,为什么不使用HTTPS是金钱(=性能/硬件)。
I think the value should default to HTTPS in all cases if possible. The only real reason as to why not use HTTPS is money (=performance/hardware).
这篇关于“记住我”的身份验证功能,它总是意味着“不安全”网站吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
